What the demise of Forefront TMG means for Windows Server

Microsoft's highly rated edge-protection product is essentially dead – so where do Windows server security pros go from here?

You may have noted that this past spring, Microsoft told the analyst firm Gartner that it wouldn’t be producing another shipping version of its Forefront Threat Management Gateway software.

Specifically, Microsoft indicated—strangely, only in this report and not in any other external communications—that it has placed Threat Management Gateway (TMG) in sustained engineering mode, and it doesn’t intend to offer products in the firewall and secure gateway space in the future. In effect, the product is dead, and in the future it will only get security updates and critical bug fixes; no further innovation will happen on the code base, at least in its present form.

This move left many scratching their heads. From its previous incarnation as Microsoft ISA Server through its rebranding into the Forefront line of products, TMG was considered a “best of breed” product in the security and edge-ware space. Despite it not being—and in some customers’ view, because it wasn’t—an appliance, TMG’s clever and intuitively set-up stateful packet inspection services and Web caching made it a go-to product in many Microsoft shops.

So the folks with the biggest and deepest investments in TMG—the ones using it day in and day out on their networks to keep the bad guys out—are naturally wondering where this move leaves them. What of TMG, and perhaps more importantly, what are the options for the future?

The clearest, most direct option Microsoft has is to fold TMG into its Unified Application Gateway (UAG) product, which is essentially a filter on inbound access to corporate resources. UAG is based on the same filtering engine as TMG; the direction of supported traffic is simply switched. This makes for a logical, and probably relatively simple, move to integrate the now-defunct TMG capabilities into the newer product the software giant is fond of pushing. However, UAG has its disadvantages: it’s mainly available only as a hardware and software combination, it’s somewhat clunky interface-wise, and it’s a lot more costly than TMG ever was. By subsuming the popular bits into a relatively unpopular product, Microsoft might be pushing for more adoption of UAG, but perhaps at an ultimate cost of customer satisfaction.

A less clear but undoubtedly more popular option would be simply to include TMG’s core capabilities within Windows Server 8. Microsoft has already been emphasizing the importance of device firewalls and making sure, from a defense-in-depth standpoint, individual machines and endpoints have the capability to withstand attacks. Including the TMG engine for free to anyone who buys a server license could appeal to both this logic and the customer base and allow the positive aspects of TMG to not get lost within a more complicated, specialized product.

Clearly for shops with a significant investment in ISA Server, Threat Management Gateway and so on, the absence of a future roadmap for the product—and its relegation to the backburner, being provided only security fixes for a limited period of time—is a point of concern. The window is now open for other vendors to provide integration and migration services to TMG customers as Microsoft exits this market. If you’re rethinking your edge protection, it’s a smart move to exclude Microsoft from your plans. In any event, they’ve decided to move on, and you should, too.


Jonathan Hassell is an author, consultant, and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Microsoft Windows Small Business Server 2003, and Learning Windows Server 2003.
